GE Measurement & Control. Cyber Security for Industrial Controls




Contents

- Overview
- Cyber Asset Protection (CAP) Software Update Subscription
- SecurityST Solution Options
  - Centralized Account Management Options
  - Network Management Options
- Related Security Options and Integration Alternatives

Overview

As a vendor of industrial controls, GE embraces its responsibility to assist critical infrastructure owners in improving their security postures and to support compliance efforts as they relate to GE-provided equipment. Many of the product security features available for current controls, such as Mark* VIe and EX2100e, are also available as enhancements for older controls, such as the EX2000, Mark V, EX2100 and Mark VI. GE supports customer compliance efforts by providing baseline configuration documentation for current and certain legacy controls, and by supporting asset operator cyber vulnerability assessments and associated mitigations.

GE's cyber security solution comprises the Cyber Asset Protection (CAP) Software Update Subscription and the SecurityST* Appliance. The solution supports cyber security best practices such as centralized patch management, anti-virus/host intrusion detection updates, account management, logging and event management, intrusion detection and automated backup. The solution supports confidentiality, integrity and availability of critical controls and related networks, which in turn can be applied to support owner compliance with cyber security regulations, standards and guidelines, such as NEI 08-09, NERC CIP, WIB and ISA 99.

Cyber Asset Protection (CAP) Software Update Subscription

A single solution does not exist that adequately addresses the patch management processes of both traditional information technology (IT) data networks and industrial control systems (ICSs). While IT patching typically requires relatively frequent downtime to deploy critical patches, any sudden or unexpected downtime of ICSs can have serious operational consequences. As a result, there are more stringent requirements for patch validation prior to implementation in ICS networks. The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) recognizes that control systems owners/operators should have an integrated plan that identifies a separate approach to patch management for ICS management in order to strengthen overall ICS security. (Source: US Department of Homeland Security, Recommended Practice for Patch Management of Control Systems, December 2008.)

The CAP Software Update Subscription supports critical infrastructure owners' efforts to manage current patch levels and anti-virus/host intrusion detection signatures, as well as enhanced backup to support continuity of operations. The patches and anti-virus/host intrusion detection signatures provided through the CAP Software Update Subscription have been evaluated for applicability, tested in a representative operational lab environment, documented, and securely delivered. Additionally, as patch change management is a core component of most cyber security standards, the CAP Software Update Subscription also provides a reporting application that supports related compliance documentation. The CAP Software Update Subscription can be applied locally or via the SecurityST appliance in a user-acknowledged, centrally deployed fashion that provides significant time savings.

Testing: GE maintains a validation lab in which OS and application patches and anti-virus/host intrusion detection signature updates are tested in a controlled, operationally representative environment, OS and major ControlST platform software revision at the customer site. Testing demonstrates that functional operation of the control and related interfaces, as well as communication to the system, is not adversely impacted by the updates. Updates are also tested for optional customer scope such as hardened switches, firewalls and the SecurityST appliance. Any updates identified as potentially impacting operations are excluded; these updates are documented and a mitigation strategy is developed to compensate for the excluded security update. Any false positives identified with new signatures, which would quarantine files needed for Normal and Emergency operations, are noted, and instructions on how to allow (whitelist) these files are included.

Scripting: The updates are scripted into a single file that the operator can load manually onto each HMI or deploy via the optional virtual CAP Security and Application Server. Whether deployed at the host or network level, any scripted update action must be acknowledged by the operator before being deployed. This limits the potential for operator error or tampering.

Secure Delivery: Scripted updates are transmitted to the site in a secure, sealed shipping envelope, and the chain of custody of the update is maintained throughout transit until delivery to the site.

Back Up and Recovery: Software is provided to support backup and automated recovery of backups, in support of disaster recovery policy and practices.

Applicability Evaluation and Status Reporting: GE reviews patches and anti-virus/host intrusion signatures for applicability on GE-provided Windows OS machines, such as HMIs and servers, as well as network devices such as hardened switches and related SecurityST appliances. From this review, a candidate list of patches and updates is then tested in a representative lab environment to evaluate their potential to impact Normal and Emergency Operations. Each update disk is cumulative and provides the latest revision of updates and signatures, even if a previous update disk was not applied. Lastly, GE's patch management application supports patch change management compliance documentation by generating a report that shows the following:

- Listing of applicable updates to your system
- Status of the update (applied or missing)
- Update reference information, including patch number, bulletin ID and bulletin title
- US Computer Emergency Readiness Team (US-CERT) level of severity associated with the update
- Time required to apply the update in the representative operational test environment and whether or not a reboot is required
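As an added illustration (not GE's patch management application and not code from the original brochure), the following Python example builds a report with the fields listed above from a cumulative update manifest and one host's installed-patch set. The data model, function name and all patch and bulletin values are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    patch_id: str          # patch number (placeholder values below)
    bulletin_id: str
    title: str
    severity: str          # severity level published for the update
    minutes: int           # install time measured in the test lab
    reboot: bool           # whether the update requires a reboot
    excluded: bool = False # failed lab validation; must not be installed
    mitigation: str = ""   # compensating measure for an excluded update

# Constructed manifest for one cumulative update disk (not real bulletins).
MANIFEST = [
    Update("PATCH-0001", "BULLETIN-A", "Sample RCE fix", "High", 6, True),
    Update("PATCH-0002", "BULLETIN-B", "Sample EoP fix", "Medium", 3, False),
    Update("PATCH-0003", "BULLETIN-C", "Sample spooler fix", "High", 4, True,
           excluded=True, mitigation="Spooler service disabled on HMIs"),
    Update("PATCH-0004", "BULLETIN-D", "Sample info leak fix", "Low", 2, False),
]

def status_report(manifest, installed):
    """Return (rows, summary) for one host's set of installed patch IDs."""
    rows = []
    for u in manifest:
        present = u.patch_id in installed
        if u.excluded:
            # An excluded update found on a host is itself a finding.
            status = "excluded-but-installed" if present else "excluded"
        else:
            status = "applied" if present else "missing"
        rows.append({"patch": u.patch_id, "bulletin": u.bulletin_id,
                     "title": u.title, "severity": u.severity,
                     "status": status, "minutes": u.minutes,
                     "reboot": u.reboot, "mitigation": u.mitigation})
    todo = [r for r in rows if r["status"] == "missing"]
    known = {u.patch_id for u in manifest}
    summary = {
        "missing": len(todo),
        "minutes": sum(r["minutes"] for r in todo),
        "reboot": any(r["reboot"] for r in todo),
        # Patches on the host that never went through lab validation.
        "untested": sorted(set(installed) - known),
    }
    return rows, summary

if __name__ == "__main__":
    rows, summary = status_report(MANIFEST, {"PATCH-0001", "PATCH-9999"})
    for r in rows:
        print(f'{r["patch"]}  {r["severity"]:<6}  {r["status"]}')
    print(summary)
```

The summary gives the outage window to plan for (total install minutes and whether a reboot is needed) and flags patches present on the host that are absent from the validated manifest.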

[Figure: Example status report]

SecurityST Solution Options

Centralized Account Management Options

Centralized account management supports unified administration of role-based access control and least privilege. GE's cyber security solution for industrial controls uses industry-accepted, best-in-class Active Directory to integrate easily into plant-wide account management.

Active Directory: Centrally updated security policies on GE Windows-based machines and Active Directory users, allowing unique identification, authentication and administration of users. Active Directory can also be used to execute account policies related to aging and record retention.

MS Radius Server: Integrates with Active Directory to extend centralized account management to network switches and firewalls.

The Certificate Authority Server: Maintains session authenticity between the GE-provided controllers and the authenticated user on domain-controlled HMIs, enabling the Mark VIe control system and EX2100e generator excitation to operate in secure mode during normal operations. When operating in secure mode, the controller permits only executables on a hash-protected, encrypted list defined in firmware. Additionally, when the controller(s) are operating in secure mode, all controller access is encrypted. As a result, only users with the necessary certificate on authorized HMIs can access the controller.

Network Management Options

Network Intrusion Detection and Firewall: An integrated security appliance that monitors and protects the GE HMI network (Plant Data Highway) and the GE Controller(s) network (Unit Data Highway), providing detection of known or suspicious network activity.

Security Information Event Management (SIEM): Collects logs from switches, Controller(s), HMIs, the SecurityST appliance and the Network Intrusion Detection/Firewall. The SIEM provides a single, centralized, real-time display of activity throughout the GE network (Plant Data Highway and Unit Data Highway) to support correlation analysis.

Related Security Options and Integration Alternatives

GE can provide integration support to help incorporate GE controls and their associated CAP architecture into a higher-level plant security architecture. GE can also provide additional engineering support for baseline device configurations, as needed per corporate or site policy.

Integrated Factory Acceptance Testing of Security Scope: GE is able to support integrated cyber security Factory Acceptance Testing that allows the customer to minimize risk as it relates to integrating solutions into a broader plant policy and related architecture.

GE Measurement & Control 1800 Nelson Rd Longmont, CO, USA 80538 Phone: +1-303-678-2600 or 800-835-5182 Fax: +1-303-678-2601 www.ge-mcs.com * Denotes a trademark of the General Electric Company. Windows is a registered trademark of Microsoft Corporation in the United States and other countries. Copyright 2012 General Electric Company. All rights reserved. GEA20360 (10/2012)